[Hipsec] IESG review of NAT traversal draft and encrypted parameters

Miika Komu <miika.komu@ericsson.com> Mon, 05 November 2018 14:28 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB0E0128BCC for <hipsec@ietfa.amsl.com>; Mon, 5 Nov 2018 06:28:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.771
X-Spam-Level:
X-Spam-Status: No, score=-4.771 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=dTUZBVfM; dkim=pass (1024-bit key) header.d=ericsson.com header.b=kIzfbn3L
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zH1btp0I0377 for <hipsec@ietfa.amsl.com>; Mon, 5 Nov 2018 06:28:20 -0800 (PST)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D87941277BB for <hipsec@ietf.org>; Mon, 5 Nov 2018 06:28:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1541428098; x=1544020098; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=FTcbEyIcRMeuwrlJUCNKiQb/R2JuMENhPB6MR6k8G3g=; b=dTUZBVfMRnH28DZBVLDHa1XtZgh2gPdgBepGwrwevYTHmOFj3e95o+ftNpt+tMgM /Y6GZM/TspRUdRTu0T9Xkxod9M4s//W5kQMprYhBoT092AG9Gz6znBQZHCVXG+xS s4oeO5ApmLCefVAAwUfH2OtRwaXy61Kl5X1rTr4xIlY=;
X-AuditID: c1b4fb30-671b09e000007d19-31-5be05382d629
Received: from ESESSMB503.ericsson.se (Unknown_Domain [153.88.183.121]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id FE.FF.32025.28350EB5; Mon, 5 Nov 2018 15:28:18 +0100 (CET)
Received: from ESESBMR506.ericsson.se (153.88.183.202) by ESESSMB503.ericsson.se (153.88.183.191) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Mon, 5 Nov 2018 15:28:17 +0100
Received: from ESESBMB505.ericsson.se (153.88.183.172) by ESESBMR506.ericsson.se (153.88.183.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Mon, 5 Nov 2018 15:28:17 +0100
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Mon, 5 Nov 2018 15:28:17 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FTcbEyIcRMeuwrlJUCNKiQb/R2JuMENhPB6MR6k8G3g=; b=kIzfbn3Lfddxe2wrmTnuOMmQWcSw/uInxFeV9mGG47NImZQOl8dHDxhafW0+RaScycaUq40eAeWx4SomULRh82Z5YrgPf+gN4z8Uc2AsB8JRz7TSQszskbDJAgh7U9A3UuNzCPclHeOD45RwUNPpzQEZPgQEW6zUEKzCdkynKto=
Received: from AM6PR07MB4728.eurprd07.prod.outlook.com (20.177.38.92) by AM6PR07MB4614.eurprd07.prod.outlook.com (20.177.38.208) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1294.10; Mon, 5 Nov 2018 14:28:17 +0000
Received: from AM6PR07MB4728.eurprd07.prod.outlook.com ([fe80::645d:55b6:824c:b390]) by AM6PR07MB4728.eurprd07.prod.outlook.com ([fe80::645d:55b6:824c:b390%2]) with mapi id 15.20.1294.032; Mon, 5 Nov 2018 14:28:17 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: hip WG <hipsec@ietf.org>
Thread-Topic: IESG review of NAT traversal draft and encrypted parameters
Thread-Index: AQHUdRPKVFbj2E0doUehU8k1DBLn/w==
Date: Mon, 05 Nov 2018 14:28:16 +0000
Message-ID: <677e527a-bf01-3473-7f49-ff92b428e603@ericsson.com>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: AM6PR06CA0017.eurprd06.prod.outlook.com (2603:10a6:20b:14::30) To AM6PR07MB4728.eurprd07.prod.outlook.com (2603:10a6:20b:19::28)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; AM6PR07MB4614; 6:FnSZiKu4T8PG2JXVy9HOeh17V+omT5SNpvPyg+llnfZFKALiW/V82yNOycAVSZuke/3ANGzjQMOoV3kuUAfQBVm/lObMh0fj5cW/uiNN9FqtcsA835ETbLH9jBX2UHxjr7WHmFVMWVhFKxhKFl8hxUF/hpF+hKitNHNl4g0W8Vj9Ty/LOF0x02hsT+snCHoO5bvphchOYpGKEp3c48bgQEDRy3vorQmQ08UB3AMFLK/5Lrm8VazVBAjBROSDfZsnZJdm+SJnY6wFqq/nXbVtkHO+5tJiNO8odmKxdSfxRmAoXgyiPEda+jcoIlVwb7KjsjH2iGX9DWnzbgRzhYl1sdOR4v+tPWyiVT55x23fnYRoaYmI0XYKs8rjaJjAuPCMO7EAU0g4YlPNy6CWoguVf3wUmw3Ah1l5bLVvvOq8TcvpPUygPfMqlvtLyFz1CyYsKKZsBSQ5nw6uWsFYfan3tg==; 5:qIR3lLbDEaKFs2sU5MKMHKLITAnvjKOKZmznBlZmGeGK1l771e54yPY4e+WjwMOIgAGEUF4pOi/3pfvtuJIxFvvV4OESuORmUQS3nhJUznLIpvNzuvCvM9/SdGpu1llJCZvvyy5ZI6i8EJwGzzdCdt8MRGbjw9j8z+fZSG44aw4=; 7:HIYHraB9X8Sjx5+thyd+WfwAILYkEJUgYOarJOHh6XWCdYF8dEEgXumoQzyIjpPN/Tp+MeuHDhZmCiHt1Km8QVcfzVM01Zgz0I2Fx0eNQI2dCeuHr0J0f+YjPAmy84MZZPsdCJzCiClGjOXtDGnFrQ==
x-ms-office365-filtering-correlation-id: 9c770e26-cb28-4235-19b7-08d6432aec72
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:AM6PR07MB4614;
x-ms-traffictypediagnostic: AM6PR07MB4614:
x-microsoft-antispam-prvs: <AM6PR07MB461468796E63CCBF8BB2F0BFFCCA0@AM6PR07MB4614.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(17755550239193);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231382)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(148016)(149066)(150057)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123560045)(20161123564045)(20161123558120)(201708071742011)(7699051)(76991095); SRVR:AM6PR07MB4614; BCL:0; PCL:0; RULEID:; SRVR:AM6PR07MB4614;
x-forefront-prvs: 08476BC6EF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(136003)(39860400002)(366004)(346002)(376002)(199004)(189003)(36756003)(105586002)(8936002)(6916009)(3846002)(5660300001)(6116002)(53936002)(68736007)(52116002)(31686004)(25786009)(102836004)(2616005)(81156014)(476003)(2906002)(14454004)(97736004)(478600001)(26005)(256004)(8676002)(305945005)(2900100001)(86362001)(99286004)(7736002)(81166006)(6436002)(31696002)(316002)(486006)(106356001)(386003)(66066001)(186003)(71190400001)(6486002)(71200400001)(6512007)(6506007)(44832011); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR07MB4614; H:AM6PR07MB4728.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: itlzvmECEk7haf7PhDQY1jEwSplAhEDPaJnKOc28ox0tle0yMwqc9kiOzAW6IvmTl8hBzJ6kkKpfqUiphTi+FbmSBBcJIVi53buZ8d6quD9wzNz2LsRVpd6gR6UNQpg5D2n01YnEtbvUPTRqVgdTt12VcGnssiuLY4NpVz6iCD2yeLFushAC5SILaLO+sKjMLphLtJJSgOZbhcTwipQQc4S5qtTdhTIVG1ezi9jHT2ZbbxJW9EbcOzoMoVnbhuQw6MPEQ7k+9JaFwd0mZWdsiFMLERSqWKxy1WY3fnMJ3gpthbmYweZdu6+2OgZfdt1lWT3iqzsgsBOb9TQ8s+3ABlhzeRA60ABaL5vPk68Y9cU=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <CBE906D5C7CAC74CB1F8F352ED4AAA6E@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 9c770e26-cb28-4235-19b7-08d6432aec72
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Nov 2018 14:28:16.9943 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR07MB4614
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupkleLIzCtJLcpLzFFi42KZGbG9Urcp+EG0wYmlPBZTF01mdmD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxvLGecwFrzgrfq8paWA8wdnFyMkhIWAiMXn3UbYuRi4OIYEj jBJvG/ezQDhfGSVm7H7HCOcc37YJqmwxk8SLDQ+ZQfpZBCYwS0w+kwmRmMgk0f3kBhOE85BR Yu+xrUwgVWwCWhKr7lwH6xARkJHYsOkFK4gtLOAi8eBmHxNE3FNi26eLUDV6Eht7GlkgNqhI rDjxnB3E5hWwl2jrWAtWzyggK7Fy8z+wemYBcYlbT+YzQXwkILFkz3lmCFtU4uXjf6wgB0kI TGeUmLf1HitEc5RE96t+FogiHYmz158wQtiKEmffPYQaJCtxaX43I0TzNTaJtsbZUA2+Ei/X PWSCSBxnlPj9eBdUt5bEvKvLWSHsbIlbe09Dxa0kfixZwA5hy0ms6n3IAtXMLPGurZ91AqPh LCRvzGLkALI1Jdbv0ocIe0hcXrSXGcJWlJjS/ZB9Fjg0BCVOznzCsoCRdRWjaHFqcVJuupGR XmpRZnJxcX6eXl5qySZGYAI5uOW3wQ7Gl88dDzEKcDAq8fBqOj6IFmJNLCuuzD3EKMHBrCTC q8QGFOJNSaysSi3Kjy8qzUktPsQozcGiJM5r4bc5SkggPbEkNTs1tSC1CCbLxMEp1cDIGBhp LW6c8XmGE98hps+OuUF/nM75S+7tW1qwft9Nq+LYaH1LvkcikkdXtXvMTOhY4yC3/KT0lB0/ 7xtLMnSvmPIw3THZfccpTtGkr8GvmE48bAo+Pzuq+nb+lSS2Y5/qi77xC5TL+AWZ/TnPE/ye ffYW36UK8dV+houU5/jkX1HNmDGvnEuJpTgj0VCLuag4EQAPK3yxHAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/Lpo9VVnjpSisEt3YjHkSDOUL8u4>
Subject: [Hipsec] IESG review of NAT traversal draft and encrypted parameters
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Nov 2018 14:28:22 -0000

Hi folks,

I am finally trying scratch some time to address IESG feedback related 
to NAT traversal draft. Eric Rescorla (among others) questioned why we 
have chosen to have the locators (aka candidates) in plaintext whereas 
in ICE, the locators are XORred to protect against middlebox tampering. 
The original reasoning for this is was that because that is the way 
non-NAT traversal version of the HIP works (RFC7401).

I don't think we need XORring with HIP because we have more powerful 
mechanisms in HIP. So, I am going to add some text that mandates that 
the LOCATOR parameter must be encapsulated inside ENCRYPTED parameter 
when ICE-HIP-UDP will be used. The tradeoff here is that we favor 
end-host privacy at the cost middlebox transparency.

Please let me know during the two next weeks if you disagree, otherwise 
I consider the issue to be resolved at least from the WG perspective.